proto-tinker-wc shipped Qix wallet drainer
Part of the Qix phishing shipped wallet drainers campaign
proto-tinker-wc 0.1.87 was reported with the same September 2025 npm wallet-drainer campaign. The malicious npm release put browser-side transaction manipulation code into a legitimate package path.
Story
proto-tinker-wc was a small follow-on artifact in a much larger September 2025 npm compromise. Public reporting and ecosystem advisories tied version 0.1.87 to the same phishing-driven wallet-drainer campaign that first surfaced through Qix-maintained packages.
The package is recorded separately because its maintainer and distribution surface differ from Qix, DuckDB, Prebid, and CoveOps. That distinction matters for responders: each package name creates a different lockfile query, cache check, and owner notification path.
The malicious release put browser-side transaction-manipulation code into a legitimate npm package path. In the Qix campaign, that family watched wallet and web3 activity and attempted to redirect transaction destinations to attacker-controlled addresses.
This page preserves the proto-tinker-wc package coordinate, version, hash, and September 9 exposure date. The parent [[qix-npm-phishing-2025]] record carries the shared phishing infrastructure, wallet-drainer behavior, and cross-package timing.
Affected Artifacts
- Observed
- 2025-09-09
- Compromised Versions
- Fixed
- Not listed
Incident Context
- Motive
- Financial Gain
- Attribution
- Group
- Cause
- Social Engineering
- Transitive
- No
- Actor
- Third Party
External References
- New compromised packages identified in largest npm attack in historyjfrog.com
- Qix npm package supply chain compromisethreats.wiz.io
- Malicious code in proto-tinker-wcosv.dev
- Embedded Malicious Code in proto-tinker-wcsecurity.snyk.io
Source record: oss/attacks/proto-tinker-wc/meta.yaml